1. 24 Nov, 2019 9 commits
    • Pavel Tatashin's avatar
      arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault · 70366259
      Pavel Tatashin authored
      commit 94bb804e upstream.
      
      A number of our uaccess routines ('__arch_clear_user()' and
      '__arch_copy_{in,from,to}_user()') fail to re-enable PAN if they
      encounter an unhandled fault whilst accessing userspace.
      
      For CPUs implementing both hardware PAN and UAO, this bug has no effect
      when both extensions are in use by the kernel.
      
      For CPUs implementing hardware PAN but not UAO, this means that a kernel
      using hardware PAN may execute portions of code with PAN inadvertently
      disabled, opening us up to potential security vulnerabilities that rely
      on userspace access from within the kernel which would usually be
      prevented by this mechanism. In other words, parts of the kernel run the
      same way as they would on a CPU without PAN implemented/emulated at all.
      
      For CPUs not implementing hardware PAN and instead relying on software
      emulation via 'CONFIG_ARM64_SW_TTBR0_PAN=y', the impact is unfortunately
      much worse. Calling 'schedule()' with software PAN disabled means that
      the next task will execute in the kernel using the page-table and ASID
      of the previous process even after 'switch_mm()', since the actual
      hardware switch is deferred until return to userspace. At this point, or
      if there is a intermediate call to 'uaccess_enable()', the page-table
      and ASID of the new process are installed. Sadly, due to the changes
      introduced by KPTI, this is not an atomic operation and there is a very
      small window (two instructions) where the CPU is configured with the
      page-table of the old task and the ASID of the new task; a speculative
      access in this state is disastrous because it would corrupt the TLB
      entries for the new task with mappings from the previous address space.
      
      As Pavel explains:
      
        | I was able to reproduce memory corruption problem on Broadcom's SoC
        | ARMv8-A like this:
        |
        | Enable software perf-events with PERF_SAMPLE_CALLCHAIN so userland's
        | stack is accessed and copied.
        |
        | The test program performed the following on every CPU and forking
        | many processes:
        |
        |	unsigned long *map = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE,
        |				  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
        |	map[0] = getpid();
        |	sched_yield();
        |	if (map[0] != getpid()) {
        |		fprintf(stderr, "Corruption detected!");
        |	}
        |	munmap(map, PAGE_SIZE);
        |
        | From time to time I was getting map[0] to contain pid for a
        | different process.
      
      Ensure that PAN is re-enabled when returning after an unhandled user
      fault from our uaccess routines.
      
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Reviewed-by: default avatarMark Rutland <mark.rutland@arm.com>
      Tested-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: <stable@vger.kernel.org>
      Fixes: 338d4f49 ("arm64: kernel: Add support for Privileged Access Never")
      Signed-off-by: default avatarPavel Tatashin <pasha.tatashin@soleen.com>
      [will: rewrote commit message]
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      70366259
    • David Hildenbrand's avatar
      mm/memory_hotplug: fix updating the node span · f8b09a04
      David Hildenbrand authored
      commit 656d5711 upstream.
      
      We recently started updating the node span based on the zone span to
      avoid touching uninitialized memmaps.
      
      Currently, we will always detect the node span to start at 0, meaning a
      node can easily span too many pages.  pgdat_is_empty() will still work
      correctly if all zones span no pages.  We should skip over all zones
      without spanned pages and properly handle the first detected zone that
      spans pages.
      
      Unfortunately, in contrast to the zone span (/proc/zoneinfo), the node
      span cannot easily be inspected and tested.  The node span gives no real
      guarantees when an architecture supports memory hotplug, meaning it can
      easily contain holes or span pages of different nodes.
      
      The node span is not really used after init on architectures that
      support memory hotplug.
      
      E.g., we use it in mm/memory_hotplug.c:try_offline_node() and in
      mm/kmemleak.c:kmemleak_scan().  These users seem to be fine.
      
      Link: http://lkml.kernel.org/r/20191027222714.5313-1-david@redhat.com
      Fixes: 00d6c019 ("mm/memory_hotplug: don't access uninitialized memmaps in shrink_pgdat_span()")
      Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Oscar Salvador <osalvador@suse.de>
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8b09a04
    • David Hildenbrand's avatar
      mm/memory_hotplug: don't access uninitialized memmaps in shrink_pgdat_span() · 6631def3
      David Hildenbrand authored
      commit 00d6c019 upstream.
      
      We might use the nid of memmaps that were never initialized.  For
      example, if the memmap was poisoned, we will crash the kernel in
      pfn_to_nid() right now.  Let's use the calculated boundaries of the
      separate zones instead.  This now also avoids having to iterate over a
      whole bunch of subsections again, after shrinking one zone.
      
      Before commit d0dc12e8 ("mm/memory_hotplug: optimize memory
      hotplug"), the memmap was initialized to 0 and the node was set to the
      right value.  After that commit, the node might be garbage.
      
      We'll have to fix shrink_zone_span() next.
      
      Link: http://lkml.kernel.org/r/20191006085646.5768-4-david@redhat.com
      Fixes: f1dd2cd1 ("mm, memory_hotplug: do not associate hotadded memory to zones until online")	[d0dc12e8]
      Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
      Reported-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Cc: Oscar Salvador <osalvador@suse.de>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Wei Yang <richardw.yang@linux.intel.com>
      Cc: Alexander Duyck <alexander.h.duyck@linux.intel.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Anshuman Khandual <anshuman.khandual@arm.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Cc: Christophe Leroy <christophe.leroy@c-s.fr>
      Cc: Damian Tometzki <damian.tometzki@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Gerald Schaefer <gerald.schaefer@de.ibm.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Halil Pasic <pasic@linux.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Ira Weiny <ira.weiny@intel.com>
      Cc: Jason Gunthorpe <jgg@ziepe.ca>
      Cc: Jun Yao <yaojun8558363@gmail.com>
      Cc: Logan Gunthorpe <logang@deltatee.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Mike Rapoport <rppt@linux.ibm.com>
      Cc: Pankaj Gupta <pagupta@redhat.com>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Qian Cai <cai@lca.pw>
      Cc: Rich Felker <dalias@libc.org>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Cc: Steve Capper <steve.capper@arm.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Wei Yang <richard.weiyang@gmail.com>
      Cc: Will Deacon <will@kernel.org>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Cc: Yu Zhao <yuzhao@google.com>
      Cc: <stable@vger.kernel.org>	[4.13+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      6631def3
    • Matthew Wilcox (Oracle)'s avatar
      idr: Fix idr_get_next race with idr_remove · a16a3669
      Matthew Wilcox (Oracle) authored
      commit 5c089fd0 upstream.
      
      If the entry is deleted from the IDR between the call to
      radix_tree_iter_find() and rcu_dereference_raw(), idr_get_next()
      will return NULL, which will end the iteration prematurely.  We should
      instead continue to the next entry in the IDR.  This only happens if the
      iteration is protected by the RCU lock.  Most IDR users use a spinlock
      or semaphore to exclude simultaneous modifications.  It was noticed once
      the PID allocator was converted to use the IDR, as it uses the RCU lock,
      but there may be other users elsewhere in the kernel.
      
      We can't use the normal pattern of calling radix_tree_deref_retry()
      (which catches both a retry entry in a leaf node and a node entry in
      the root) as the IDR supports storing entries which are unaligned,
      which will trigger an infinite loop if they are encountered.  Instead,
      we have to explicitly check whether the entry is a retry entry.
      
      Fixes: 0a835c4f ("Reimplement IDR and IDA using the radix tree")
      Reported-by: default avatarBrendan Gregg <bgregg@netflix.com>
      Tested-by: default avatarBrendan Gregg <bgregg@netflix.com>
      Signed-off-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      a16a3669
    • Dan Carpenter's avatar
      net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() · 4c62337d
      Dan Carpenter authored
      commit a56dcc6b upstream.
      
      This code is supposed to test for negative error codes and partial
      reads, but because sizeof() is size_t (unsigned) type then negative
      error codes are type promoted to high positive values and the condition
      doesn't work as expected.
      
      Fixes: 332f989a ("CDC-NCM: handle incomplete transfer of MTU")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarNobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c62337d
    • Greg Kroah-Hartman's avatar
      Revert "OPP: Protect dev_list with opp_table lock" · 17a82bc6
      Greg Kroah-Hartman authored
      This reverts commit 4c64ce94 which is
      commit 3d255699 upstream.
      
      Turns out to break the build on the odroid machines, so it needs to be
      reverted.
      Reported-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Reported-by: default avatar"kernelci.org bot" <bot@kernelci.org>
      Cc: Niklas Cassel <niklas.cassel@linaro.org>
      Cc: Sasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17a82bc6
    • Julia Lawall's avatar
      tee: optee: add missing of_node_put after of_device_is_available · 4f4ab0b4
      Julia Lawall authored
      commit c7c0d8df upstream.
      
      Add an of_node_put when a tested device node is not available.
      
      The semantic patch that fixes this problem is as follows
      (http://coccinelle.lip6.fr):
      
      // <smpl>
      @@
      identifier f;
      local idexpression e;
      expression x;
      @@
      
      e = f(...);
      ... when != of_node_put(e)
          when != x = e
          when != e = x
          when any
      if (<+...of_device_is_available(e)...+>) {
        ... when != of_node_put(e)
      (
        return e;
      |
      + of_node_put(e);
        return ...;
      )
      }
      // </smpl>
      
      Fixes: db878f76 ("tee: optee: take DT status property into account")
      Signed-off-by: default avatarJulia Lawall <Julia.Lawall@lip6.fr>
      Signed-off-by: default avatarJens Wiklander <jens.wiklander@linaro.org>
      Cc: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f4ab0b4
    • Hsin-Yi Wang's avatar
      i2c: mediatek: modify threshold passed to i2c_get_dma_safe_msg_buf() · 2008d0e3
      Hsin-Yi Wang authored
      commit bc1a7f75 upstream.
      
      DMA with zero-length transfers doesn't make sense and this HW doesn't
      support them at all, so increase the threshold.
      
      Fixes: fc66b39f ("i2c: mediatek: Use DMA safe buffers for i2c transactions")
      Signed-off-by: default avatarHsin-Yi Wang <hsinyi@chromium.org>
      [wsa: reworded commit message]
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2008d0e3
    • Leilk Liu's avatar
      spi: mediatek: use correct mata->xfer_len when in fifo transfer · 976e944e
      Leilk Liu authored
      commit a4d8f64f upstream.
      
      when xfer_len is greater than 64 bytes and use fifo mode
      to transfer, the actual length from the third time is mata->xfer_len
      but not len in mtk_spi_interrupt().
      Signed-off-by: default avatarLeilk Liu <leilk.liu@mediatek.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      976e944e
  2. 20 Nov, 2019 31 commits